Abstract


We present a pairwise normal form for finite-state shared memory concurrent programs: all variables are shared between exactly two processes, and the guards on transitions are conjunctions of conditions over this pairwise shared state. This representation has been used to efficiently (in polynomial time) synthesize and model-check correctness properties of concurrent programs. Our main result is that any finite state concurrent program can be transformed into pairwise normal form. Specifically, if $Q$ is an arbitrary finite-state shared memory concurrent program, then there exists a finite-state shared memory concurrent program $P$ expressed in pairwise normal form such that $P$ is strongly bisimilar to $Q$. Our result is constructive: we give an algorithm for producing $P$, given $Q$.
1 Introduction



The state explosion problem is recognized as a fundamental impediment to the widespread application of mechanical finite-state verification and synthesis methods, in particular, model-checking. The problem is particularly severe when considering finite-state concurrent programs, as the individual processes making up such programs may be quite different (no similarity) and may be only loosely coupled (leading to a large number of global states).

In previous work [1, 2, 5], we have suggested a method of avoiding state-explosion by expressing the synchronization and communication code for each pair of interacting processes separately from that for other (even intersecting) pairs. In particular, all shared variables are shared by exactly one pair of processes. This "pairwise normal form" enables us, for any arbitrarily large concurrent program, to model-check correctness properties for the concurrent compositions of small numbers of processes (so far 2 or 3) and then conclude that these properties also hold in the large program. If $P$ is a concurrent program consisting of $K$ processes each having $O(N)$ local states, then we can verify the deadlock freedom of $P$ in O(K^N^b) time¹ or O(K^N^) time, using either of two conservative tests [5], and we can verify safety and liveness properties of $P$ in O(K^N^) time [1, 2].

A key question regarding the pairwise approach is: does it give up expressive power? That is, in requiring 
synchronization and communication code to be expressed pairwise, do we constrain the set of concurrent 
programs that can be represented? In this paper, we answer this question in the negative: we show that 
for any concurrent program Q, we can (constructively) produce a concurrent program P that is in pairwise 
normal form, and that is strongly bisimilar to Q. 

The rest of the paper is as follows. Section 2 presents our model of concurrent computation and defines the global state transition diagram of a concurrent program. Section 3 defines pairwise normal form. Section 4 presents our main result: any finite-state concurrent program can be expressed in pairwise normal form. Section 5 discusses related work, and Section 6 concludes.



¹ $b$ is the maximum branching in the local state transition relation of a single process.
2 Technical Preliminaries



2.1 Model of concurrent computation 

We consider finite-state shared memory concurrent programs of the form $P = P_1 \| \cdots \| P_K$ that consist of a finite number $K$ of fixed sequential processes $P_1, \ldots, P_K$ running in parallel. Each $P_i$ is a synchronization skeleton [11], that is, a directed multigraph where each node is a (local) state of $P_i$ (also called an $i$-state) and is labeled by a unique name ($s_i$), and where each arc is labeled with a guarded command [9] $B_i \rightarrow A_i$ consisting of a guard $B_i$ and corresponding action $A_i$. Each node must have at least one outgoing arc, i.e., a skeleton contains no "dead ends." With each $P_i$, we associate a set $AP_i$ of atomic propositions, and a mapping $V_i$ from local states of $P_i$ to subsets of $AP_i$: $V_i(s_i)$ is the set of atomic propositions that are true in $s_i$. As $P_i$ executes transitions and changes its local state, the atomic propositions in $AP_i$ are updated. Different local states of $P_i$ have different truth assignments: $V_i(s_i) \neq V_i(t_i)$ for $s_i \neq t_i$. Atomic propositions are not shared: $AP_i \cap AP_j = \emptyset$ when $i \neq j$. Other processes can read (via guards) but not update the atomic propositions in $AP_i$. We define the set of all atomic propositions $AP = AP_1 \cup \cdots \cup AP_K$. There is also a set $SH = \{x_1, \ldots, x_m\}$ of shared variables, which can be read and written by every process. These are updated by the action $A_i$. A global state is a tuple of the form $(s_1, \ldots, s_K, v_1, \ldots, v_m)$ where $s_i$ is the current local state of $P_i$ and $v_1, \ldots, v_m$ is a list giving the current values of $x_1, \ldots, x_m$, respectively. A guard $B_i$ is a predicate on global states, and so can reference any atomic proposition and any shared variable. An action $A_i$ is any piece of terminating pseudocode that updates the shared variables.² We write just $A_i$ for $true \rightarrow A_i$ and just $B_i$ for $B_i \rightarrow skip$, where $skip$ is the empty assignment.

We model parallelism as usual by the nondeterministic interleaving of the "atomic" transitions of the individual processes $P_i$. Let $s = (s_1, \ldots, s_i, \ldots, s_K, v_1, \ldots, v_m)$ be the current global state, and let $P_i$ contain an arc from node $s_i$ to $s'_i$ labeled with $B_i \rightarrow A_i$. We write such an arc as the tuple $(s_i, B_i \rightarrow A_i, s'_i)$, and call it a $P_i$-arc from $s_i$ to $s'_i$. We use just arc when $P_i$ is specified by the context. If $B_i$ holds in $s$, then a permissible next state is $s' = (s_1, \ldots, s'_i, \ldots, s_K, v'_1, \ldots, v'_m)$ where $v'_1, \ldots, v'_m$ are the new values for the shared variables resulting from action $A_i$. Thus, at each step of the computation, a process with an enabled arc is nondeterministically selected to be executed next. The transition relation $R$ is the set of all such $(s, i, s')$. The arc from node $s_i$ to $s'_i$ is enabled in state $s$. An arc that is not enabled is blocked. Our model of computation is a high-atomicity model, since a process $P_i$ can evaluate the guard $B_i$, execute the action $A_i$, and change its local state, all in one action.

Recall that we define a global state to be a tuple of local states and shared variable values, rather than a "name" together with a labeling function $L$ that gives the associated valuation. A consequence of this definition is that two different global states must differ in either some local state or some shared variable value. Since we require different local states to differ in at least one atomic proposition value, we conclude that two different global states differ in at least one atomic proposition value or one shared variable value.

We define the valuation corresponding to a global state $s = (s_1, \ldots, s_i, \ldots, s_K, v_1, \ldots, v_m)$ as follows. For an atomic proposition $p_i \in AP_i$: $s(p_i) = true$ if $p_i \in V_i(s_i)$, and $s(p_i) = false$ if $p_i \notin V_i(s_i)$. For a shared variable $x_\ell$, $1 \le \ell \le m$: $s(x_\ell) = v_\ell$. We define $s|AP$ to be the set $\{p \in AP \mid s(p) = true\}$, i.e., the set of propositions that are true in state $s$. $s|AP$ is essentially the projection of $s$ onto the atomic propositions. Also, $s|i$ is defined to be $s_i$, i.e., the local state of $P_i$ in $s$. We also define $s|SH$ to be the set $\{(x, s(x)) \mid x \in SH\}$, i.e., the set of all pairs consisting of a shared variable $x$ in $SH$ together with the value that $s$ assigns to $x$.

Let $St$ be a given set of initial states in which computations of $P$ can start. A computation path is a sequence of states whose first state is in $St$ and where each successive pair of states is related by $R$. A state is reachable iff it lies on some computation path. Since we must specify the start states $St$ in order for the computation paths to be well-defined, we re-define our notion of a program to be $P = (St, P_1 \| \cdots \| P_K)$, i.e., a program consists of the parallel composition of $K$ processes, together with a set $St$ of initial states.

For technical convenience, and without loss of generality, we assume that no synchronization skeleton contains a node with a self-loop. The functionality of a self-loop (e.g., a busy wait) can always be achieved by using a loop containing two local states. Thus, a transition by $P_i$ changes the local state of $P_i$, and therefore the value of at least one atomic proposition in $AP_i$. Hence, no global state $s$ has a self loop, i.e., a transition by some $P_i$ both starting and finishing in $s$.

² We will only use straight-line code in this paper, so termination is always guaranteed.

For a local state $s_i$, define $\{s_i\}$ as follows:

Definition 1 (State-to-Formula Translation)

$\{s_i\} \equiv \Big(\bigwedge_{p \in V_i(s_i)} p\Big) \wedge \Big(\bigwedge_{p \notin V_i(s_i)} \neg p\Big)$

where $p$ ranges over $AP_i$.

$\{s_i\}$ converts a local state into a propositional formula over $AP_i$.

If $s$ is a global state and $B$ is a guard, we define $s(B)$ by the usual inductive scheme: $s(x = c) = true$ iff $s(x) = c$, $s(B_1 \wedge B_2) = true$ iff $s(B_1) = true$ and $s(B_2) = true$, $s(\neg B_1) = true$ iff $s(B_1) = false$. If $s(B) = true$, we also write $s \models B$.

2.2 The Global State Transition Diagram of a Concurrent Program 

Definition 2 (Global state transition diagram) Given a concurrent program $P = P_1 \| \cdots \| P_K$ and a set $St$ of initial global states for $P$, the global state transition diagram generated by $P$ is a Kripke structure $M = (St, S, R)$ given as follows: (1) $S$ is the smallest set of global states satisfying (1.1) $St \subseteq S$ and (1.2) if there exist $s \in S$, $i \in [K]$,³ and $u$ such that $(s, i, u)$ is in the next-state relation defined above in Section 2.1, then $u \in S$, and (2) $R$ is the next-state relation restricted to $S$.

We define strong bisimulation in the standard way. 

Definition 3 (Strong Bisimulation) Let $M = (St, S, R)$ and $M' = (St', S', R')$ be two Kripke structures with the same underlying set $AP$ of atomic propositions. A relation $B \subseteq S \times S'$ is a strong bisimulation iff:

1. if $B(s, s')$ then $s|AP = s'|AP$

2. if $B(s, s')$ and $(s, i, u) \in R$ then $\exists u' : (s', i, u') \in R' \wedge B(u, u')$

3. if $B(s, s')$ and $(s', i, u') \in R'$ then $\exists u : (s, i, u) \in R \wedge B(u, u')$

We also define $\sim$ to be the union of all strong bisimulation relations:
$\sim \;=\; \bigcup \{B : B \text{ is a strong bisimulation}\}$.

We say that $M$ and $M'$ are strongly bisimilar, and write $M \sim M'$, if and only if there exists a strong bisimulation $B$ such that $\forall s \in St, \exists s' \in St' : B(s, s')$ and $\forall s' \in St', \exists s \in St : B(s, s')$.
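As an added illustration of Definitions 2 and 3 (example code written for this page, not code from the paper or its authors), the following Python builds the global state transition diagram of a constructed two-process program with one shared variable and then decides strong bisimilarity by partition refinement on the disjoint union of two Kripke structures. The program, its state names and all helper names are assumptions of the example.

```python
# Added example (not from the paper): the global state transition diagram of
# Definition 2 for a constructed two-process program, and a strong
# bisimulation check (Definition 3) by partition refinement.
from collections import defaultdict

# Constructed program (assumption): two processes sharing one variable x in
# {0, 1}. A process is a dict of local states (each mapping to the set of
# atomic propositions true there) and arcs (src, guard, action, dst); guards
# and actions are functions of the shared-variable valuation.
P1 = {"props": {"a": {"p"}, "b": set()},
      "arcs": [("a", lambda sh: sh["x"] == 0, lambda sh: {"x": 1}, "b"),
               ("b", lambda sh: True, lambda sh: dict(sh), "a")]}
P2 = {"props": {"c": {"q"}, "d": set()},
      "arcs": [("c", lambda sh: sh["x"] == 1, lambda sh: {"x": 0}, "d"),
               ("d", lambda sh: True, lambda sh: dict(sh), "c")]}
PROCS = (P1, P2)
# A global state is (tuple of local states, frozenset of (variable, value)).
INIT = {(("a", "c"), frozenset({("x", 0)}))}


def gstd(procs, init):
    """Definition 2: S is the smallest set containing St and closed under the
    next-state relation; R is that relation restricted to S; L labels each
    state with s|AP (the propositions true in it)."""
    S, R, work = set(init), set(), list(init)
    while work:
        s = work.pop()
        locs, sh = s
        for i, proc in enumerate(procs, 1):          # process index i in [K]
            for src, guard, action, dst in proc["arcs"]:
                if locs[i - 1] != src or not guard(dict(sh)):
                    continue                          # arc is blocked in s
                u = (locs[:i - 1] + (dst,) + locs[i:],
                     frozenset(action(dict(sh)).items()))
                R.add((s, i, u))
                if u not in S:
                    S.add(u)
                    work.append(u)
    L = {s: frozenset(p for i, st in enumerate(s[0])
                      for p in procs[i]["props"][st]) for s in S}
    return {"St": set(init), "S": S, "R": R, "L": L}


def bisimilar(M, N):
    """Definition 3: compute the coarsest strong bisimulation on the disjoint
    union of M and N by partition refinement (initial partition by s|AP,
    refined by the process-indexed successor blocks), then check that every
    initial state of each structure has a partner in the other."""
    states = [(0, s) for s in M["S"]] + [(1, s) for s in N["S"]]
    succ = defaultdict(set)
    for tag, K in ((0, M), (1, N)):
        for s, i, u in K["R"]:
            succ[(tag, s)].add((i, (tag, u)))
    block = {st: (M, N)[st[0]]["L"][st[1]] for st in states}   # clause 1
    while True:
        sig = {st: (block[st], frozenset((i, block[u]) for i, u in succ[st]))
               for st in states}                                 # clauses 2, 3
        ids = {}
        new = {st: ids.setdefault(sig[st], len(ids)) for st in states}
        if len(ids) == len(set(block.values())):
            break                                    # partition is stable
        block = new
    same = lambda s, t: block[(0, s)] == block[(1, t)]
    return (all(any(same(s, t) for t in N["St"]) for s in M["St"]) and
            all(any(same(s, t) for s in M["St"]) for t in N["St"]))


def duplicate(M, s):
    """Return a copy of M in which state s gets a twin with the same label and
    successors, and one incoming transition redirected to the twin (a
    rewriting that preserves bisimilarity)."""
    twin = ("twin", s)
    t, i, _ = next(tr for tr in sorted(M["R"], key=repr) if tr[2] == s)
    R = (M["R"] - {(t, i, s)}) | {(t, i, twin)}
    R |= {(twin, j, u) for (v, j, u) in M["R"] if v == s}
    L = dict(M["L"])
    L[twin] = L[s]
    St = M["St"] | ({twin} if s in M["St"] else set())
    return {"St": St, "S": M["S"] | {twin}, "R": R, "L": L}


M = gstd(PROCS, INIT)
S_BC1 = (("b", "c"), frozenset({("x", 1)}))     # a state with two predecessors
M_TWIN = duplicate(M, S_BC1)
# Dropping the P2 move (a,d,x=0) -> (a,c,x=0) breaks bisimilarity: the state
# (a,d,x=0) then has no partner offering both a P1 and a P2 successor.
M_CUT = dict(M)
M_CUT["R"] = M["R"] - {((("a", "d"), frozenset({("x", 0)})), 2,
                        (("a", "c"), frozenset({("x", 0)})))}

if __name__ == "__main__":
    print(len(M["S"]), "global states,", len(M["R"]), "transitions")
    print("M ~ twin:", bisimilar(M, M_TWIN), " M ~ cut:", bisimilar(M, M_CUT))
```

The refinement loop stops as soon as a pass creates no new block; because every signature includes the state's current block, the partition can only get finer, so the block count is a sound stability test.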

3 Pairwise normal form 

Let $\oplus$, $\otimes$ be binary infix operators. A general guarded command [2] is either a guarded command as given in Section 2.1 above, or has the form $G_1 \oplus G_2$ or $G_1 \otimes G_2$, where $G_1, G_2$ are general guarded commands. Roughly, the operational semantics of $G_1 \oplus G_2$ is that either $G_1$ or $G_2$, but not both, can be executed, and the operational semantics of $G_1 \otimes G_2$ is that both $G_1$ and $G_2$ must be executed, that is, the guards of both $G_1$ and $G_2$ must hold at the same time, and the bodies of $G_1$ and $G_2$ must be executed simultaneously, as a single parallel assignment statement. For the semantics of $G_1 \otimes G_2$ to be well-defined, there must be no conflicting assignments to shared variables in $G_1$ and $G_2$. This will always be the case for the programs we consider. We refer the reader to [2] for a comprehensive presentation of general guarded commands.

³ We use $[K]$ for the set consisting of the natural numbers $1, \ldots, K$.






Definition 4 (Pairwise Normal Form) A concurrent program $P = P_1 \| \cdots \| P_K$ is in pairwise normal form iff the following four conditions all hold:

1. every arc $a_i$ of every process $P_i$ has the form $a_i = (s_i, \otimes_{j \in I(i)} \oplus_{\ell \in \{1, \ldots, n_j\}} B^j_{i,\ell} \rightarrow A^j_{i,\ell}, t_i)$, where $B^j_{i,\ell} \rightarrow A^j_{i,\ell}$ is a guarded command, $I$ is an irreflexive symmetric relation over $[K]$ that defines an "interconnection" (or "neighbors") relation amongst processes, and $I(i) = \{j \mid (i,j) \in I\}$,

2. variables are shared in a pairwise manner, i.e., for each $(i,j) \in I$, there is some set $SH_{ij}$ of shared variables that are the only variables that can be read and written by both $P_i$ and $P_j$,

3. $B^j_{i,\ell}$ can reference only variables in $SH_{ij}$ and atomic propositions in $AP_j$, and

4. $A^j_{i,\ell}$ can update only variables in $SH_{ij}$.

For each neighbor $P_j$ of $P_i$, $\oplus_{\ell \in [1:n_j]} B^j_{i,\ell} \rightarrow A^j_{i,\ell}$ specifies $n_j$ alternatives $B^j_{i,\ell} \rightarrow A^j_{i,\ell}$, $1 \le \ell \le n_j$, for the interaction between $P_i$ and $P_j$ as $P_i$ transitions from $s_i$ to $t_i$. $P_i$ must execute such an interaction with each of its neighbors in order to transition from $s_i$ to $t_i$. We emphasize that $I$ is not necessarily the set of all pairs, i.e., there can be processes that do not directly interact by reading each other's atomic propositions or reading/writing pairwise shared variables. We do not assume, unless otherwise stated, that processes are isomorphic, or "similar."

We use a superscript $I$ to indicate the relation $I$, e.g., process $P^I_i$, and $P^I_i$-arc $a^I_i$. We define $a^I_i.start = s_i$, $a^I_i.guard_j = \bigvee_{\ell \in \{1, \ldots, n_j\}} B^j_{i,\ell}$, and $a^I_i.guard = \bigwedge_{j \in I(i)} a^I_i.guard_j$. If $P^I = P^I_1 \| \ldots \| P^I_K$ is a concurrent program with interconnection relation $I$, then we call $P^I$ an $I$-system. For the special case when $I = \{(i,j) \mid i,j \in [K], i \neq j\}$, i.e., $I$ is the complete interconnection relation, we omit the superscript $I$.

In pairwise normal form, the synchronization code for $P^I_i$ with one of its neighbors $P_j$ (i.e., $\oplus_{\ell \in \{1, \ldots, n_j\}} B^j_{i,\ell} \rightarrow A^j_{i,\ell}$) is expressed separately from the synchronization code for $P^I_i$ with another neighbor $P_k$ (i.e., $\oplus_{\ell \in \{1, \ldots, n_k\}} B^k_{i,\ell} \rightarrow A^k_{i,\ell}$). We can exploit this property to define "subsystems" of an $I$-system $P^I$ as follows. Let $J \subseteq I$ and $range(J) = \{i \mid \exists j : (i,j) \in J\}$. If $a^I_i$ is an arc of $P^I_i$ then define $a^J_i = (s_i, \otimes_{j \in J(i)} \oplus_{\ell \in [n_j]} B^j_{i,\ell} \rightarrow A^j_{i,\ell}, t_i)$. Then the $J$-system $P^J$ is $P^J_{j_1} \| \ldots \| P^J_{j_n}$ where $\{j_1, \ldots, j_n\} = range(J)$ and $P^J_i$ consists of the arcs $\{a^J_i \mid a^I_i \text{ is an arc of } P^I_i\}$. Intuitively, a $J$-system consists of the processes in $range(J)$, where each process contains only the synchronization code needed for its $J$-neighbors, rather than its $I$-neighbors. If $J = \{\{i,j\}\}$ for some $i,j$ then $P^J$ is a pair-system, and if $J = \{\ldots, \{i,k\}\}$ for some $i,j,k$ then $P^J$ is a triple-system. For $J \subseteq I$, $M_J = (St_J, S_J, R_J)$ is the GSTD of $P^J$ as defined in Section 2.1, and a global state of $P^J$ is a $J$-state. If $J = \{\{i,j\}\}$, then we write $M_{ij} = (St_{ij}, S_{ij}, R_{ij})$ instead of $M_J = (St_J, S_J, R_J)$.
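The following Python, added here as an example and not part of the paper, represents an arc of Definition 4 as data and implements the $\oplus$ / $\otimes$ semantics of Section 3: one enabled alternative is chosen per neighbor, the chosen bodies run as one parallel assignment, and conflicting writes are rejected; `project` produces the $a^J_i$ of a $J$-system. The arc, the variable names (`tok12`, `tok13`) and the function names are constructed for this example.

```python
# Added example (not from the paper): arcs in pairwise normal form
# (Definition 4) as data, the semantics of the ⊗ / ⊕ operators of Section 3,
# and the projection a^I_i -> a^J_i that yields a J-system.
# Assumptions: guards are predicates and actions are functions over a dict
# holding the pairwise shared variables; all names below are constructed.
from itertools import product


class Conflict(Exception):
    """Raised when two bodies combined by ⊗ assign one variable differently."""


def pnf_arc(start, per_neighbor, end):
    """An arc (s_i, ⊗_{j∈I(i)} ⊕_ℓ B^j_{i,ℓ} → A^j_{i,ℓ}, t_i).
    per_neighbor maps neighbor j to its list of alternatives (guard, action)."""
    return {"start": start, "alts": dict(per_neighbor), "end": end}


def guard(arc, sh):
    """a^I_i.guard = ⋀_j ⋁_ℓ B^j_{i,ℓ}: every neighbor offers an enabled
    alternative (⊗ needs all neighbors, ⊕ needs only one alternative each)."""
    return all(any(g(sh) for g, _ in alts) for alts in arc["alts"].values())


def firings(arc, sh):
    """All ways to execute the arc: choose one enabled alternative per
    neighbor (⊕), apply all chosen bodies as one parallel assignment (⊗)."""
    enabled = [[(j, g, a) for g, a in alts if g(sh)]
               for j, alts in arc["alts"].items()]
    if any(not e for e in enabled):
        return []                              # some neighbor blocks the arc
    results = []
    for choice in product(*enabled):
        written = {}
        for j, _, action in choice:
            for var, val in action(sh).items():    # bodies read the old state
                if var in written and written[var] != val:
                    raise Conflict(f"{var} assigned {written[var]} and {val}")
                written[var] = val
        new_sh = dict(sh)
        new_sh.update(written)
        results.append((tuple(j for j, _, _ in choice), new_sh))
    return results


def project(arc, J_neighbors):
    """a^J_i: keep only the synchronization code for the J-neighbors."""
    return pnf_arc(arc["start"],
                   {j: alts for j, alts in arc["alts"].items() if j in J_neighbors},
                   arc["end"])


# Constructed arc of P_1 with neighbors P_2 and P_3: SH_12 = {tok12},
# SH_13 = {tok13}; each neighbor offers two alternatives.
ARC_1 = pnf_arc("s1", {
    2: [(lambda sh: sh["tok12"] == 1, lambda sh: {"tok12": 0}),
        (lambda sh: sh["tok12"] == 2, lambda sh: {"tok12": 0})],
    3: [(lambda sh: sh["tok13"] == 1, lambda sh: {"tok13": 0}),
        (lambda sh: True, lambda sh: {})],
}, "t1")

# Deliberately ill-formed arc: both neighbors' bodies write the same variable
# with different values, which Section 3 rules out for ⊗.
CONFLICT_ARC = pnf_arc("s1", {
    2: [(lambda sh: True, lambda sh: {"shared": 1})],
    3: [(lambda sh: True, lambda sh: {"shared": 2})]}, "t1")


def conflicts(arc, sh):
    """True iff executing the arc in sh hits a conflicting assignment."""
    try:
        firings(arc, sh)
    except Conflict:
        return True
    return False


def demo():
    """Returns (guard in a blocked state, guard in an enabled state, number of
    firings, shared state after the first firing, firings of the pair-system
    arc J = {{1,2}} in the blocked and in the enabled state)."""
    blocked = {"tok12": 0, "tok13": 1}
    ready = {"tok12": 1, "tok13": 1}
    fires = firings(ARC_1, ready)
    pair_arc = project(ARC_1, {2})
    return (guard(ARC_1, blocked), guard(ARC_1, ready), len(fires),
            fires[0][1], len(firings(pair_arc, blocked)),
            len(firings(pair_arc, ready)))
```

In the enabled state the arc has two firings, because neighbor $P_3$ offers two enabled alternatives while $P_2$ offers one; in the pair-system arc the $P_3$ code is simply absent, which is the projection the text describes.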

In [1, 2, 4] we give, in pairwise normal form, solutions to many well-known problems, such as dining philosophers, drinking philosophers, mutual exclusion, $k$-out-of-$n$ mutual exclusion, two-phase commit, and replicated data servers. We conjecture that any finite-state concurrent program can be rewritten (up to strong bisimilarity) in pairwise normal form. The restriction to pairwise normal form enables us to mechanically verify certain correctness properties very efficiently. Recall that $K$ is the number of processes, $b$ is the maximum branching in the local state transition relation of a single process, and $N$ is the size of the largest process. Then, safety and liveness properties that can be expressed over pairs of processes can be verified in time O(K^N^) by model-checking pair-systems [1, 2], and deadlock-freedom can be verified in time O(K^N^b) or O(K^N^) using either of two conservative tests [5], which in turn operate by model checking triple-systems. Exhaustive state-space enumeration would of course require O(N^) time.

4 The Pairwise Expressiveness Result 

Let $Q = (St_Q, Q_1 \| \cdots \| Q_K)$ be an arbitrary finite-state shared memory concurrent program as defined in Section 2.1 above, with each process $Q_i$ having an associated set $AP_i$ of atomic propositions and with shared variables $x_1, \ldots, x_m$. The transformation of $Q$ to pairwise normal form proceeds in three phases, as given in the sequel.
TRANSFORM($M_Q$, $M'_Q$)
    $St'_Q := St_Q$; $S'_Q := S_Q$; $R'_Q := R_Q$;
    repeat until there is no change in $M'_Q$
        let $s$ be a state in $M'_Q$ such that $|in\text{-}procs(s)| > 1$;
        forall $i \in in\text{-}procs(s)$ do
            create a new marked state $s^i$ such that $s^i|AP = s|AP$, $s^i|SH = s|SH$;
            if $s \in St'_Q$ then $St'_Q := St'_Q \cup \{s^i\}$ endif;
            forall $j, u : (s, j, u) \in R'_Q$ do $R'_Q := R'_Q \cup \{(s^i, j, u)\}$ endfor;
            forall $u : (u, i, s) \in R'_Q$ do $R'_Q := R'_Q \cup \{(u, i, s^i)\}$ endfor
        endfor;
        $St'_Q := St'_Q - \{s\}$;
        remove all transitions incident on $s$ from $R'_Q$
    endrepeat

Figure 1: Transformation of $M_Q$ so that all incoming transitions are labeled with the same process index.

4.1 Phase One 

First, we generate $M_Q$, the GSTD of $Q$, as given by Definition 2. By construction of Definition 2, all states in $M_Q$ are reachable. We then execute the algorithm given in Figure 1 on $M_Q$, which transforms $M_Q$ into a Kripke structure $M'_Q = (St'_Q, S'_Q, R'_Q)$ which is bisimilar to $M_Q$ and which has the property that all incoming transitions into a state are labeled with the same process index. This is not strictly necessary, but significantly simplifies the transformation to pairwise normal form.

Define $in\text{-}procs(s) = \{i \in [K] \mid \exists s' : (s', i, s) \in R'_Q\}$. We also introduce a new shared variable $in$ whose value in a state $s$ will be the process index that labels the transitions incoming into $s$.

Proposition 1 Procedure TRANSFORM terminates. 

Proof. Each iteration of the repeat loop (line 2) reduces the number of states $s$ such that $|in\text{-}procs(s)| > 1$ by one. Since $M'_Q$ is initially set to $M_Q$, which is finite, this cannot go on forever. □

Proposition 2 $M'_Q \sim M_Q$ is a loop invariant of the repeat loop (line 2) of TRANSFORM.

Proof. Let $n_0$ be the number of iterations that the repeat loop executes. Let $M^n = (St^n, S^n, R^n)$ be the value of $M'_Q$ at the end of the $n$'th iteration (for all $n \le n_0$), with $M^0$ being the initial value $M_Q$. We will also use the superscript $n$ for states in $M^n$, when needed. We show that

$\forall n : 0 < n \le n_0 : M^{n-1} \sim M^n$.

Consider the $n$'th iteration of the repeat loop. In this iteration, $M^n$ results from $M^{n-1}$ by deleting some state $s$ and adding some states $s^{i_1}, \ldots, s^{i_l}$, where $\{i_1, \ldots, i_l\} = in\text{-}procs(s)$. Since each of $s^{i_1}, \ldots, s^{i_l}$ has the same successor states as $s$, and agrees with $s$ on the values of all atomic propositions, we have $s \sim s^{i_1}, \ldots, s \sim s^{i_l}$. Let $u$ be an arbitrary predecessor of $s$ in $M^{n-1}$, i.e., $(u^{n-1}, j, s) \in R^{n-1}$, where $u^{n-1}$ indicates the occurrence of $u$ in $M^{n-1}$. At the end of the iteration, we have $(u^n, j, s^j) \in R^n$. Since $s \sim s^j$, we have $u^{n-1} \sim u^n$, i.e., the occurrence of $u$ in $M^{n-1}$ is bisimilar to the occurrence of $u$ in $M^n$. Since all other states in $M^{n-1}$ and $M^n$ have an unchanged set of successors, we conclude that $M^{n-1} \sim M^n$.

By a straightforward induction on $n$, and using the transitivity of $\sim$, we can show that $\forall n : 0 < n \le n_0 : M^0 \sim M^n$. Thus $M^0 \sim M^{n_0}$. Now $M_Q = M^0$ and $M'_Q = M^{n_0}$, and the proposition is established. □
Proposition 3 Upon termination of procedure TRANSFORM,

(1) $M'_Q \sim M_Q$, and

(2) every state $s$ in $M'_Q$ satisfies $|in\text{-}procs(s)| \le 1$.

Proof. (1) follows from Proposition 2. (2) follows immediately from inspecting line 2 of procedure TRANSFORM. □

For all $s \in S'_Q$ such that $|in\text{-}procs(s)| = 1$, define $in(s)$ to be the unique $i$ such that $\exists s' : (s', i, s) \in R'_Q$.

Proposition 4 Upon termination of procedure TRANSFORM, for any two states $s, u$ in $M'_Q$, $s|AP \neq u|AP$ or $s|SH \neq u|SH$ or $in(s) \neq in(u)$.

Proof. Immediate by construction of procedure TRANSFORM. □
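To make the procedure concrete, here is an added Python rendering of TRANSFORM (Figure 1) applied to a constructed four-state Kripke structure in which one state is entered by two different processes, together with checks of the properties stated in Propositions 3 and 4. This is example code written for this page, not the authors' code; the state names, their labels and the helper names are assumptions of the example.

```python
# Added example (not from the paper): procedure TRANSFORM of Figure 1 run on
# a constructed Kripke structure, followed by the checks behind
# Propositions 3 and 4. State names and labels below are constructed.
from itertools import combinations

# A Kripke structure is {"St", "S", "R", "L"} with L: state -> (s|AP, s|SH),
# where s|AP is a frozenset of true propositions and s|SH a frozenset of
# (shared variable, value) pairs.


def kripke(St, R, L):
    return {"St": set(St), "S": set(L), "R": set(R), "L": dict(L)}


def in_procs(M, s):
    """in-procs(s) = { i in [K] | exists s' : (s', i, s) in R }."""
    return {i for (_, i, u) in M["R"] if u == s}


def transform(M):
    """Figure 1: while some state s has more than one incoming process
    index, replace it by one marked copy s^i per index i in in-procs(s);
    each copy keeps s's labelling and successors and receives the
    i-labelled predecessors of s; then s and its transitions are removed."""
    St, S, R, L = set(M["St"]), set(M["S"]), set(M["R"]), dict(M["L"])
    while True:
        multi = [s for s in S if len({i for (_, i, u) in R if u == s}) > 1]
        if not multi:
            return {"St": St, "S": S, "R": R, "L": L}
        s = min(multi, key=repr)
        for i in {i for (_, i, u) in R if u == s}:
            copy = ("marked", s, i)                # the new state s^i
            S.add(copy)
            L[copy] = L[s]                         # s^i|AP = s|AP, s^i|SH = s|SH
            if s in St:
                St.add(copy)
            R |= {(copy, j, u) for (t, j, u) in R if t == s}             # outgoing
            R |= {(t, i, copy) for (t, j, u) in R if u == s and j == i}  # incoming i
        St.discard(s)
        S.discard(s)
        R = {(t, j, u) for (t, j, u) in R if s not in (t, u)}


def in_index(M, s):
    """in(s): the unique incoming process index. A source state (no incoming
    transition) gets index 1, the extension made in Section 4.2."""
    ps = in_procs(M, s)
    if len(ps) > 1:
        raise ValueError(f"{s!r} has several incoming indices {sorted(ps)}")
    return next(iter(ps)) if ps else 1


def unique_incoming(M):
    """Proposition 3 (2): every state has at most one incoming index."""
    return all(len(in_procs(M, s)) <= 1 for s in M["S"])


def prop4_holds(M):
    """Proposition 4: distinct states differ in AP, in SH, or in in()."""
    return all(M["L"][s] != M["L"][u] or in_index(M, s) != in_index(M, u)
               for s, u in combinations(M["S"], 2))


def successors_preserved(M, N):
    """Each state of N has the labelled successors of the state of M it
    copies (the observation behind Proposition 2)."""
    origin = lambda s: s[1] if isinstance(s, tuple) and s[0] == "marked" else s
    lsucc = lambda K, s: {(i, K["L"][u]) for (t, i, u) in K["R"] if t == s}
    return all(lsucc(N, s) == lsucc(M, origin(s)) for s in N["S"])


# Constructed input: s3 is entered by P_1 (from s2) and by P_2 (from s1).
LABELS = {"s0": (frozenset({"p"}), frozenset({("x", 0)})),
          "s1": (frozenset(), frozenset({("x", 0)})),
          "s2": (frozenset({"p"}), frozenset({("x", 1)})),
          "s3": (frozenset(), frozenset({("x", 1)}))}
EDGES = {("s0", 1, "s1"), ("s0", 2, "s2"), ("s1", 2, "s3"),
         ("s2", 1, "s3"), ("s3", 1, "s0")}
M_Q = kripke({"s0"}, EDGES, LABELS)
M_Q1 = transform(M_Q)

if __name__ == "__main__":
    for s in sorted(M_Q1["S"], key=repr):
        print(s, "in =", in_index(M_Q1, s))
    print("unique incoming:", unique_incoming(M_Q1), "prop 4:", prop4_holds(M_Q1))
```

On this input the state `s3` is split into `("marked", "s3", 1)` and `("marked", "s3", 2)`, which carry the same labelling and differ only in the index of their incoming transitions, exactly the situation Proposition 4 accounts for.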

4.2 Phase Two 

We exploit the unique incoming process index property of $M'_Q$ to extract a program $P = (St_P, P_1 \| \cdots \| P_K)$ from $M'_Q$ such that $P$ is bisimilar to $Q = (St_Q, Q_1 \| \cdots \| Q_K)$ and $P$ is in pairwise normal form. The interconnection relation $I$ for $P$ is the complete relation, and so we omit the superscripts $I$ on $P$ and $P_i$. $P$ operates by emulating the execution of $Q$. In the sequel, let $i, j, k$ implicitly range over $[K]$, with possible further restriction, e.g., $i \neq j$. With each process $P_i$ we associate the following state variables, with the indicated access permissions and purpose.

• The atomic propositions in $AP_i$. These are written by $P_i$ and read by all processes. For each process $P_i$, these enable $P_i$ to emulate the local state of $Q_i$, which is defined by the same set $AP_i$ of atomic propositions.

• A shared variable $x^i_{ij}$ for every $x \in SH$ and $j \in [K]$. These are written by $P_i$ and read by $P_j$. These enable $P_i$ to emulate the updates that $Q_i$ makes to $x$. When $P_i$ is the last process to have executed, any other process $P_j$ will read $x^i_{ij}$ to find the correct emulated value of $x$, since this value will have been computed by $P_i$ and stored in $x^i_{ij}$ for all $j \in [K]$. For technical convenience, we admit $x^i_{ii}$. We select some $\ell \in [K] - \{i\}$ arbitrarily and define $x^i_{ii}$ to be shared pairwise between $P_i$ and $P_\ell$. This is needed to conform technically to Definition 4. $P_\ell$ will not actually reference $x^i_{ii}$.

• A timestamp $t^i_j$ for every $j \in [K]$. These are written and read by $P_i$ only. Timestamps have values in $\{0, 1, 2\}$. We define orderings $<_o$, $>_o$ on timestamps as follows [8]: $0 <_o 1$, $1 <_o 2$, and $2 <_o 0$, and $t >_o t'$ iff $t' <_o t$. Note that $<_o$ is not transitive. The purpose of $t^i_j$ and $t^j_i$ is to enable the pair of processes $P_i$ and $P_j$ to establish an ordering between themselves by computing $t^i_j <_o t^j_i$. If $t^i_j >_o t^j_i$, then $P_i$ executed a transition more recently than $P_j$, and vice-versa. The timestamp $t^i_i$ is unused, so we do not worry about initializing it, or what its value is in general.

• A timestamp vector $tv^i_{ij}$ for every $j \in [K]$. A $K$-tuple whose value is maintained equal to $(t^i_1, \ldots, t^i_K)$. It is written by $P_i$ and read by $P_i$ and $P_j$. Its purpose is to allow $P_i$ to communicate to $P_j$ the values of $P_i$'s timestamps w.r.t. all other processes. By reading all $tv^i_{ij}$, $i \in [K] - \{j\}$, process $P_j$ can correctly infer the index of the last process to execute. This allows $P_j$ to read the correct emulated values of all shared variables. We use $tv^i_{ij}.k$ to denote the $k$'th element of $tv^i_{ij}$, which is the value of $t^i_k$. For technical convenience, we admit $tv^i_{ii}$. We select some $\ell \in [K] - \{i\}$ arbitrarily and define $tv^i_{ii}$ to be shared pairwise between $P_i$ and $P_\ell$. This is needed to conform technically to Definition 4. $P_\ell$ will not actually reference $tv^i_{ii}$.

For all the above, the order of subscripts does not matter, e.g., $tv^i_{ij}$ and $tv^i_{ji}$ are the same variable, etc.

The essence of the emulation is to deal correctly with the shared variables. This depends upon every process being able to compute the index of the last process to execute, as described above. Define the auxiliary ("ghost") variable $last$ to be the index of the last process to make a transition. As described above, every process $P_j$ can compute the value of $last$ ($last$ is not explicitly implemented, since doing so would violate pairwise normal form). Then, $P_j$ reads the variable $x^{last}_{last\,j}$ that it shares with $P_{last}$ to find an up to date value for the variable $x$ in $Q$. Together with the unique incoming process index property of $M'_Q$, this allows $P_j$ to accurately determine the currently simulated global state of $M'_Q$. $P_j$ can then update its associated shared variables and atomic propositions to accurately emulate a transition in $M'_Q$.

Let $M_P$ be the GSTD of $P$, as given by Definition 2. We will define $P = (St_P, P_1 \| \cdots \| P_K)$ so that $M'_Q$ and $M_P$ are bisimilar.

We start with $St_P$. For each initial state $u_0$ of $M'_Q$, we create a corresponding initial state $r_0 \in St_P$ so that:

$r_0|AP = u_0|AP$

$\forall x \in SH, i, j : r_0(x^i_{ij}) = u_0(x)$

Now for the bisimulation between $M'_Q$ and $M_P$ to work properly, we will require that $in(u) = s(last)$, where $u, s$ are bisimilar states of $M'_Q$, $M_P$, respectively. It is possible, however, that some initial state $u_0$ of $M'_Q$ does not have an incoming transition, and so $in(u_0)$ is undefined. We deal with this as follows.

Call an initial state (of either $M'_Q$ or $M_P$) that does not have an incoming transition a source state. Since we defined the corresponding $r_0$ above so that $x^i_{ij}$ has the correct value (namely $u_0(x)$) for all $i, j$, we can let any process be the "last", as determined by the timestamps. Thus, for a source state $u_0$ in $M'_Q$ and its corresponding source state $r_0$ in $M_P$, we set:

$r_0(t^i_j) = \begin{cases} 1 & \text{if } i = 1 \wedge j \neq 1 \\ 0 & \text{if } i \neq 1 \wedge j = 1 \\ X & \text{if } i \neq 1 \wedge j \neq 1 \end{cases}$

where $X$ denotes a "don't care," i.e., any value in $\{0, 1, 2\}$ can be used. This has the effect of making $P_1$ the "last" process to have executed in a source state, i.e., setting $r_0(last) = 1$. We now extend the definition of $in$ to source states by defining $in(u_0) = 1$ for every source state $u_0 \in St_Q$. Together with the fact that states in $M'_Q$ are uniquely determined by the atomic proposition and shared variable values, this automatically takes care of the bisimulation matching between source states in $M'_Q$ and source states in $M_P$, without the need for an extra case analysis. Note also that $in(u)$ is now defined for all states $u$ in $M'_Q$.

For an initial state $u_0$ of $M'_Q$ that is not a source state, and its corresponding initial state $r_0$ in $M_P$, we set:

$r_0(t^i_j) = \begin{cases} 1 & \text{if } i = in(u_0) \wedge j \neq in(u_0) \\ 0 & \text{if } i \neq in(u_0) \wedge j = in(u_0) \\ X & \text{if } i \neq in(u_0) \wedge j \neq in(u_0) \end{cases}$

where again $X$ means "don't care." This has the effect of setting $r_0(last) = in(u_0)$, as required.

For all initial states $r_0 \in St_P$, whether they are source states or not, we set the timestamp vector values so that:

$\forall i, j, k : r_0(tv^i_{ij}.k) = r_0(t^i_k)$



For each transition $(u, i, v)$ in $M'_Q$, we generate a single arc $ARC^{u,v}$ in $P_i$ as follows. $ARC^{u,v}$ starts in local state $u|i$ of $P_i$ and ends in local state $v|i$ of $P_i$. Let $in(u) = c$. Then the guard $B^{u,v}$ of $ARC^{u,v}$ is defined as follows:

$B^{u,v} \equiv (last = c) \wedge \bigwedge_{j \neq i} \{u|j\} \wedge \Big(\bigwedge_{x \in SH} x^c_{ci} = u(x)\Big)$

The first conjunct checks that the last process that executed is the process with index $in(u)$. The second
step($t$, $t'$)
    Precondition: $0 \le t, t' \le 2$, that is, $t, t'$ are timestamp values
    if $t >_o t'$ then return($t$)
    else
        if $t = 0 \wedge t' = 1$ then return(2) endif;
        if $t = 1 \wedge t' = 2$ then return(0) endif;
        if $t = 2 \wedge t' = 0$ then return(1) endif
    endif

Figure 2: The step procedure.

conjunct checks that all atomic propositions have the values assigned to them by global state $u$. The third conjunct checks that all shared variables have the values assigned to them by global state $u$.

The action $A^{u,v}$ of $ARC^{u,v}$ is defined to be

$\|_{j \neq i}\; t^i_j := step(t^i_j, tv^j_{ji}.i);$
$\|_{j}\; tv^i_{ij} := (t^i_1, \ldots, t^i_K);$
$\|_{j, x \in SH}\; x^i_{ij} := v(x)$

where $step(t, t')$ is given in Figure 2. This cannot be factored into pairwise actions because all the $t^i_j$ are used to update all the $tv^i_{ij}$. The solution is to make the $t^i_j$ part of the local state of $P_i$. We do this in phase 3 below. For now, we show that program $P$ with the arcs given by $ARC^{u,v} = (u|i, B^{u,v} \rightarrow A^{u,v}, v|i)$ is bisimilar to program $Q$.

Proposition 5 The following are invariants of $P$:

1. $\bigwedge_{i,j,k}\; tv^i_{ij}.k = t^i_k$

2. $\bigwedge_i\; \big((last = i) \equiv \bigwedge_{j \neq i} t^i_j >_o t^j_i\big)$

Proof. By construction of $P$: $St_P$ is defined so that the initial states all satisfy the above, and the actions $A^{u,v}$ of every process $P_i$ of $P$ are defined so that their execution preserves the above. □

Definition 5 Define $\bowtie \subseteq S'_Q \times S_P$ as follows. For $u \in S'_Q$, $r \in S_P$, $u \bowtie r$ iff:

1. $u|AP = r|AP$

2. $in(u) = r(last)$

3. $\bigwedge_{x \in SH, k}\; r(last) = k \Rightarrow \big(\bigwedge_i u(x) = r(x^k_{ki})\big)$



Theorem 6 $\bowtie$ is a strong bisimulation.

Proof. Let $u \in S'_Q$, $r \in S_P$, and $u \bowtie r$. We must show that all three clauses of Definition 3 hold, that is:

1. if $u \bowtie r$ then $u|AP = r|AP$

2. if $u \bowtie r$ and $(u, i, v) \in R'_Q$ then $\exists s : (r, i, s) \in R_P \wedge v \bowtie s$

3. if $u \bowtie r$ and $(r, i, s) \in R_P$ then $\exists v : (u, i, v) \in R'_Q \wedge v \bowtie s$

Clause 1 holds by virtue of clause 1 of Definition 5.

Proof of clause 2. Assume $(u, i, v) \in R'_Q$, and let $in(u) = c$. We show that there exists $s$ such that $(r, i, s) \in R_P$ and $v \bowtie s$. By our construction of $P$ above, the transition $(u, i, v)$ generates the arc $ARC^{u,v}$ in $P_i$. By definition, the guard $B^{u,v}$ of $ARC^{u,v}$ is

$(last = c) \wedge \bigwedge_{j \neq i}\{u|j\} \wedge \big(\bigwedge_{x \in SH} x^c_{ci} = u(x)\big)$ (a)

Now by Definition 5 and $u \bowtie r$, we have $in(u) = r(last)$. Hence $r \models last = c$. Also by Definition 5 and $u \bowtie r$, we have $u|AP = r|AP$. Hence $r \models \bigwedge_{j \neq i}\{u|j\}$. Again by Definition 5 and $u \bowtie r$, we have $\bigwedge_{x \in SH} r(last) = c \Rightarrow u(x) = r(x^c_{ci})$. Hence $\bigwedge_{x \in SH} u(x) = r(x^c_{ci})$. And so $r \models \big(\bigwedge_{x \in SH} x^c_{ci} = u(x)\big)$.

Since $r$ satisfies all three conjuncts of (a), it follows that the guard of $ARC^{u,v}$ is true in state $r$, and therefore $ARC^{u,v}$ is enabled in $r$. By Proposition 5 and inspection of the action $A^{u,v}$ of $ARC^{u,v}$, executing $ARC^{u,v}$ leads to a state $s$ such that

$s(last) = i$ and $s|AP = v|AP$ and $\big(\bigwedge_j x^i_{ij} = v(x)\big)$.

By Definition 5, we have $v \bowtie s$, as required.

Proof of clause 3. Assume $(r, i, s) \in R_P$. We show that there exists $v$ such that $(u, i, v) \in R'_Q$ and $v \bowtie s$.

By our construction of $P$ above, the transition $(r, i, s)$ results from executing an arc $ARC^{w,v}$ in $P_i$, for some $w, v$. Let $in(w) = c$. By definition of $ARC^{w,v}$, we have $r \models \bigwedge_{j \neq i}\{w|j\}$, and also $r|i = w|i$. Hence, by the definition of $\{w\}$ (Definition 1), $r|AP = w|AP$. Also by definition of $ARC^{w,v}$, we have $r(last) = in(w) = c \wedge \big(\bigwedge_{x \in SH} r(x^c_{ci}) = w(x)\big)$. Hence:

$r(last) = in(w) = c$ and $r|AP = w|AP$ and $\big(\bigwedge_{x \in SH} r(x^c_{ci}) = w(x)\big)$. (b)

Since $u \bowtie r$, we have

$r(last) = in(u)$ and $u|AP = r|AP$ and $\big(\bigwedge_{x \in SH} r(x^{r(last)}_{r(last)\,i}) = u(x)\big)$.

From (b), $r(last) = c$. Hence

$r(last) = in(u)$ and $u|AP = r|AP$ and $\big(\bigwedge_{x \in SH} r(x^c_{ci}) = u(x)\big)$. (c)

From (b,c) we have

$in(w) = in(u)$ and $w|AP = u|AP$ and $\big(\bigwedge_{x \in SH} w(x) = u(x)\big)$. (d)

Since all global states differ in either some atomic proposition or some shared variable, or some incoming transition, by Proposition 4, we conclude from (d) that $w = u$.

By Proposition 5 and inspection of the action $A^{w,v}$ of $ARC^{w,v}$, executing $ARC^{w,v}$ can only lead to a state $s$ such that

$s(last) = i$ and $s|AP = v|AP$ and $\big(\bigwedge_j x^i_{ij} = v(x)\big)$.

By Definition 5, we have $v \bowtie s$, as required. □
Corollary 7 $M'_Q \sim M_P$.

Proof. From Definition 5 and our definition of the initial states of $P$, we see that for every initial state $u_0$ of $M'_Q$, there exists an initial state $r_0$ of $M_P$ such that $u_0 \bowtie r_0$, and vice-versa. The result then follows from Theorem 6 and Definition 3. □



4.3 Phase Three 

We now express $ARC^{u,v}$ in a form that complies with Definition 4, that is, as $\otimes_{j \in I(i)} \oplus_{\ell \in \{1, \ldots, n_j\}} B^j_{i,\ell} \rightarrow A^j_{i,\ell}$, where $B^j_{i,\ell}$ can reference only variables in $SH_{ij}$ and atomic propositions in $AP_j$, and $A^j_{i,\ell}$ can update only variables in $SH_{ij}$. Recall that $ARC^{u,v} = (u|i, B^{u,v} \rightarrow A^{u,v}, v|i)$. For the rest of this section, let $in(u) = c$. First consider $B^{u,v}$. By definition $B^{u,v} = (last = c) \wedge \bigwedge_{j \neq i}\{u|j\} \wedge \big(\bigwedge_{x \in SH} x^c_{ci} = u(x)\big)$. Now $\{u|j\}$ is a propositional formula over $AP_j$, and so $\bigwedge_{j \neq i}\{u|j\}$ is a conjunction of propositional formulae over $AP_j$, and so it poses no problem. Likewise, since $\big(\bigwedge_{x \in SH} x^c_{ci} = u(x)\big)$ is a conjunction over pairwise shared variables, it also is unproblematic. $last = c$ is not in the pairwise form given above since it refers to the ghost variable $last$. Note that $in(u)$ is a constant, and so is not problematic in this regard.

Now $last = c$ checks that the last process to execute is $P_c$. In terms of timestamps, it is equivalent to $\bigwedge_{j \neq c} t^c_j >_o t^j_c$, i.e., $P_c$ has executed more recently than all other processes. However, the timestamps $t^c_j$ are inaccessible to $P_i$, and the $t^j_c$ are accessible to $P_i$ only in the special case that $c = i$, which does not hold generally. The purpose of the timestamp vectors is precisely to deal with this problem. Recall that $tv^c_{ci}.j$ is maintained equal to $t^c_j$, and $tv^j_{ji}.c$ is maintained equal to $t^j_c$. Hence, we replace $last = c$ by the equivalent

$\bigwedge_{j \neq c} tv^c_{ci}.j >_o tv^j_{ji}.c$ (*)

which moreover can be evaluated by $P_i$, since it refers only to timestamp vectors that are accessible to $P_i$.
Now the expression $tv^c_{ci}.j >_o tv^j_{ji}.c$ refers to $tv^c_{ci}$, which is shared by $P_c$ and $P_i$, and $tv^j_{ji}$, which is shared by $P_j$ and $P_i$. Thus it is not in pairwise form. We fix this as follows. $tv^c_{ci}.j >_o tv^j_{ji}.c$ is equivalent to

$(tv^c_{ci}.j = 0 \wedge tv^j_{ji}.c = 1) \vee (tv^c_{ci}.j = 1 \wedge tv^j_{ji}.c = 2) \vee (tv^c_{ci}.j = 2 \wedge tv^j_{ji}.c = 0)$,

by definition of $>_o$. Hence, (*) is equivalent to

$\bigwedge_{j \neq c} (tv^c_{ci}.j = 0 \wedge tv^j_{ji}.c = 1) \vee (tv^c_{ci}.j = 1 \wedge tv^j_{ji}.c = 2) \vee (tv^c_{ci}.j = 2 \wedge tv^j_{ji}.c = 0)$.

This formula has length in $O(K)$. We convert this to disjunctive normal form, resulting in a formula of length in $O(exp(K))$. Let the result be $D_1 \vee \ldots \vee D_n$ for some $n$. Each $D_m$, $1 \le m \le n$, is a conjunction of literals, where each literal has one of the forms $(tv^c_{ci}.j \;op\; ts)$, $(tv^j_{ji}.c \;op\; ts)$, where $op \in \{=, \neq\}$ and $ts \in \{0, 1, 2\}$. Specifically,

$D_m = LIT^c_m(tv^c_{ci}.j) \wedge \bigwedge_{j \notin \{c,i\}} LIT^j_m(tv^j_{ji}.c)$,

where $LIT^c_m(tv^c_{ci}.j)$ is a conjunction of literals of the form $tv^c_{ci}.j \;op\; ts$, and $LIT^j_m(tv^j_{ji}.c)$ is a conjunction of literals of the form $tv^j_{ji}.c \;op\; ts$. Moreover, since logical equivalence to (*) has been maintained, we have

$(D_1 \vee \ldots \vee D_n) \equiv (last = c)$.

For $m \in \{1, \ldots, n\}$, define:
$$B_i^{u,v}(m) = D_m \wedge \bigwedge_{j \neq i} \{u{\restriction}j\} \wedge \Big(\bigwedge_{x \in SH} x_{ci} = u(x)\Big)$$
where we abuse notation by using $B_i^{u,v}$ as the name for the "array" of guards $B_i^{u,v}(m)$, and also as the name for the guard of $ARC_i^{u,v}$, as defined above. The use of the index $(m)$ will always disambiguate these two uses.

We now define the set of arcs $ARCS_i^{u,v}$ to contain $n$ arcs, $a(1), \ldots, a(n)$, where
$$a(m) = (u{\restriction}i,\ B_i^{u,v}(m) \rightarrow A_i^{u,v},\ v{\restriction}i)$$
for all $m \in \{1, \ldots, n\}$. In particular, all these arcs start in local state $u{\restriction}i$ of $P_i$ and end in local state $v{\restriction}i$ of $P_i$.

Proposition 8 $(\bigvee_{1 \le m \le n} B_i^{u,v}(m)) \equiv B_i^{u,v}$

Proof. Immediate from the definitions and distribution of $\wedge$ through $\vee$. □
It remains to show how each $a(m)$ can be rewritten into pairwise normal form. For all $j \notin \{i, c\}$, define
$$B_i^{u,v}(m,j) = LIT_m^j(tv_j^i.c) \wedge \{u{\restriction}j\}$$
For $j = c$,
$$B_i^{u,v}(m,c) = LIT_m^c(tv_c^i.j) \wedge \{u{\restriction}c\} \wedge \Big(\bigwedge_{x \in SH} x_{ci} = u(x)\Big)$$
Note that this works for both $c \neq i$ and $c = i$. The case $c = i$ is why we needed to allow $x_{ii}$ and $tv_i^i$. Otherwise we would need a special case to deal with $c = i$. In effect, when $c = i$ we include $B_i^{u,v}(m,c)$ as a conjunct of $B_i^{u,v}(m,e)$, where $P_e$ is the process arbitrarily chosen to "share" $x_{ii}$ and $tv_i^i$ with $P_i$. This allows us to conform to pairwise normal form, and use $(\bigwedge_{j \neq i} B_i^{u,v}(m,j))$ as the guard of the arc:

Proposition 9 $(\bigwedge_{j \neq i} B_i^{u,v}(m,j)) \equiv B_i^{u,v}(m)$

Proof of Proposition 9. By definition, $B_i^{u,v}(m) = D_m \wedge \bigwedge_{j \neq i} \{u{\restriction}j\} \wedge (\bigwedge_{x \in SH} x_{ci} = u(x))$. We also have, by construction, $D_m = LIT_m^c(tv_c^i.j) \wedge \bigwedge_{j \notin \{c,i\}} LIT_m^j(tv_j^i.c)$. Hence
$$B_i^{u,v}(m) = LIT_m^c(tv_c^i.j) \wedge \bigwedge_{j \notin \{c,i\}} LIT_m^j(tv_j^i.c) \wedge \bigwedge_{j \neq i} \{u{\restriction}j\} \wedge \Big(\bigwedge_{x \in SH} x_{ci} = u(x)\Big).$$
Splitting up conjunctions and rearranging gives us:
$$B_i^{u,v}(m) \equiv \Big(\bigwedge_{j \notin \{c,i\}} LIT_m^j(tv_j^i.c)\Big) \wedge \Big(\bigwedge_{j \notin \{c,i\}} \{u{\restriction}j\}\Big) \wedge LIT_m^c(tv_c^i.j) \wedge \{u{\restriction}c\} \wedge \Big(\bigwedge_{x \in SH} x_{ci} = u(x)\Big).$$
Grouping together the first two conjunctions, and the last three:
$$B_i^{u,v}(m) \equiv \Big(\bigwedge_{j \notin \{c,i\}} LIT_m^j(tv_j^i.c) \wedge \{u{\restriction}j\}\Big) \wedge \Big[LIT_m^c(tv_c^i.j) \wedge \{u{\restriction}c\} \wedge \Big(\bigwedge_{x \in SH} x_{ci} = u(x)\Big)\Big].$$
Now $LIT_m^j(tv_j^i.c) \wedge \{u{\restriction}j\}$ is just $B_i^{u,v}(m,j)$, and $[LIT_m^c(tv_c^i.j) \wedge \{u{\restriction}c\} \wedge (\bigwedge_{x \in SH} x_{ci} = u(x))]$ is just $B_i^{u,v}(m,c)$. Hence
$$B_i^{u,v}(m) \equiv \Big(\bigwedge_{j \notin \{c,i\}} B_i^{u,v}(m,j)\Big) \wedge B_i^{u,v}(m,c).$$
Thus $B_i^{u,v}(m) \equiv \bigwedge_{j \neq i} B_i^{u,v}(m,j)$. □

The timestamps $t_i^1, \ldots, t_i^K$ are written and read by $P_i$ and no other process. To achieve pairwise normal form, we now make the $t_i^j$ part of the local state of $P_i$. Thus, we replace each local state $r_i$ of $P_i$ by $3^K$ local states, each of which agrees with $r_i$ on the atomic propositions in $AP_i$. There is one such state for every different assignment of timestamp values to $t_i^1, \ldots, t_i^K$. Call the new process that results $PP_i$, and let $PP = (St, PP_1 \| \cdots \| PP_K)$. Note that $PP$ has the same initial states as $P$. Let $r_i'$ be a local state of $PP_i$ that agrees with $r_i$ on the atomic propositions in $AP_i$, and let $t_i^1, \ldots, t_i^K$ have some values $d_1, \ldots, d_K$ in $r_i'$. Likewise let $s_i'$ agree with $s_i$ on the atomic propositions in $AP_i$, and let $t_i^1, \ldots, t_i^K$ have some values $d_1', \ldots, d_K'$ in $s_i'$. Then, the set of arcs $ARCS_i^{u,v}(r_i', s_i')$ is defined as follows.

$ARCS_i^{u,v}(r_i', s_i')$ contains $n$ arcs, $a'(1), \ldots, a'(n)$, where
$$a'(m) = \Big(r_i',\ \bigwedge_{j \neq i} BB_i^{u,v}(m,j) \rightarrow \big\|_{j \neq i} AA_i^{u,v}(m,j),\ s_i'\Big)$$
for all $m \in \{1, \ldots, n\}$. In particular, all these arcs start in $r_i'$ and end in $s_i'$. Also:

For all $j \neq i$,
$$BB_i^{u,v}(m,j) = B_i^{u,v}(m,j) \wedge step(d_j, tv_j^i.i) = d_j'$$

For all $j \neq i$,
$$AA_i^{u,v}(m,j) = \Big[tv_i^j := (\ldots, step(d_j, tv_j^i.i), \ldots)\ \Big\|\ \big\|_{x \in SH} x_{ij} := v(x)\Big]$$

The new conjunct $step(d_j, tv_j^i.i) = d_j'$ in effect checks that the values of the timestamps for all $j$ in the new local state are exactly those that the operation $step(t_i^j, t_j^i)$ would return, i.e., those values that would indicate that $P_i$ has executed later than $P_j$. The timestamp vector $tv_i^j$ can now be updated correctly without violating pairwise normal form, since the update can be performed using the $d_j$ values, which are constants, and the $tv_j^i.i$, which are shared pairwise between $P_i$ and $P_j$, and are therefore permitted by pairwise normal form.
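The two steps above, the replacement of $last = c$ by the pairwise formula (*) with its DNF expansion into per-pair literal groups $LIT_m^j$, and the $step$ update that $PP$ checks through $step(d_j, tv_j^i.i) = d_j'$, can be exercised on a small model. The following Python block is an example added by the editor, not code from the paper: the process count $K$, the random schedule and all function names (`gt0`, `step`, `run`, `star`, `dnf_of_star`, `eval_dnf`, `check`) are the editor's own, and since this page does not spell out $step$, the block assumes the definition forced by $>_0$ (the value that is $>_0$ the other process's timestamp), which is all the text requires of it.

```python
"""Model of the three-valued timestamp encoding of `last = c` (editor's
example, not the paper's code).

t[i][j] is P_i's private timestamp t_i^j; tv[i][j] is the copy tv_i^j of
P_i's whole vector shared by the pair (P_i, P_j); a >_0 b holds iff
(a, b) in {(0,1), (1,2), (2,0)}.  `step` is an ASSUMED definition.
"""
import itertools
import random


def gt0(a, b):
    """a >_0 b, exactly as defined in the text (a cyclic order on {0,1,2})."""
    return (a, b) in {(0, 1), (1, 2), (2, 0)}


def step(old, other):
    """ASSUMED: the unique v in {0,1,2} with gt0(v, other).  `old` is unused
    but kept so the call shape matches step(t_i^j, t_j^i) in the text."""
    return (other + 2) % 3


def run(K, schedule):
    """Execute `schedule` (a list of process indices, constructed input) from
    the all-zero initial state.  Returns (t, tv, last): the private vectors,
    the pairwise copies, and the ghost variable `last` of program P."""
    t = [[0] * K for _ in range(K)]
    tv = [[list(t[i]) for _ in range(K)] for i in range(K)]
    last = None
    for i in schedule:
        for j in range(K):
            if j != i:                      # t_i^j := step(t_i^j, tv_j^i.i)
                t[i][j] = step(t[i][j], tv[j][i][i])
        for j in range(K):                  # refresh every copy tv_i^j
            tv[i][j] = list(t[i])
        last = i
    return t, tv, last


def star(tv, c, i, K):
    """Formula (*): /\_{j != c} tv_c^i.j >_0 tv_j^i.c, read by P_i using only
    the vectors tv_c^i and tv_j^i that are accessible to it."""
    return all(gt0(tv[c][i][j], tv[j][i][c]) for j in range(K) if j != c)


def dnf_of_star(c, i, K):
    """Expand (*) into D_1 v ... v D_n with n = 3**(K-1).  Each D_m is a dict
    {partner: literals}: the group keyed c is LIT_m^c (literals on tv_c^i),
    the group keyed j is LIT_m^j (literals on tv_j^i), the split that
    B_i^{u,v}(m, j) packages with {u|j}.  A literal ((p, q, k), val) reads
    tv_p^q.k = val."""
    others = [j for j in range(K) if j != c]
    cases = [(0, 1), (1, 2), (2, 0)]        # the three disjuncts of >_0
    dnf = []
    for choice in itertools.product(cases, repeat=len(others)):
        D = {}
        for j, (a, b) in zip(others, choice):
            D.setdefault(c, []).append(((c, i, j), a))
            D.setdefault(j, []).append(((j, i, c), b))
        dnf.append(D)
    return dnf


def eval_dnf(dnf, tv):
    """Truth value of D_1 v ... v D_n in the state described by tv."""
    return any(all(tv[p][q][k] == val
                   for lits in D.values() for (p, q, k), val in lits)
               for D in dnf)


def check(K, steps, seed=0):
    """Along a random schedule, confirm in every reached state and for every
    observer P_i that (*) holds exactly when c == last, and that the DNF
    agrees with (*).  Returns True iff no counterexample was found."""
    rng = random.Random(seed)
    schedule = [rng.randrange(K) for _ in range(steps)]
    dnfs = {(c, i): dnf_of_star(c, i, K) for c in range(K) for i in range(K)}
    for n in range(1, steps + 1):
        t, tv, last = run(K, schedule[:n])
        for i in range(K):
            for c in range(K):
                s = star(tv, c, i, K)
                if s != (last == c) or s != eval_dnf(dnfs[(c, i)], tv):
                    return False
    return True


if __name__ == "__main__":
    print("K=4, 200 steps, (*) == (last = c) everywhere:", check(4, 200))
    print("disjuncts n for K=4:", len(dnf_of_star(0, 1, 4)))
```

Two things the model makes visible: `dnf_of_star` returns $3^{K-1}$ disjuncts, which is the $O(\exp(K))$ blow-up per transition that Theorem 14 later charges to $|PP|$; and `run` updates $t_i^j$ from $tv_j^i.i$ rather than from $t_j^i$ directly, which is why the $PP$ action can be written with only pairwise-shared operands.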

Let $M_{PP} = (St_P, S_P, R_{PP})$ be the state-transition diagram of $PP$. Note that $PP$ and $P$ have the same initial states, and the same global states, by definition.

Theorem 10 $M_P \sim M_{PP}$

Proof of Theorem 10. Let $(r, i, s) \in R_P$. $(r, i, s)$ results from executing an arc $ARC_i^{u,v}$. Hence $B_i^{u,v}$ is true in state $r$. By Proposition 8, some $B_i^{u,v}(m)$ is true in state $r$. Hence $\bigwedge_{j \neq i} B_i^{u,v}(m,j)$ is true in state $r$, by Proposition 9.

Now let $r', s'$ be the states in $M_{PP}$ that correspond to states $r, s$ in $M_P$, that is, $r'$ and $r$ agree on all atomic propositions and shared variables (including timestamps), and likewise $s$ and $s'$.

Let $r_i' = r'{\restriction}i$, $s_i' = s'{\restriction}i$. Let $t_i^1, \ldots, t_i^K$ have values $d_1, \ldots, d_K$ in $r_i'$ (and hence also in $r'$), and values $d_1', \ldots, d_K'$ in $s_i'$ (and hence also in $s'$). ($r, r'$ are essentially different ways of referring to the same state, to indicate whether the containing structure is $M_P$ or $M_{PP}$, and likewise $s, s'$.)

Since $(r, i, s)$ results from executing $ARC_i^{u,v}$, $step(d_j, tv_j^i.i) = d_j'$ must hold for all $j \neq i$, since the action $A_i^{u,v}$ of $ARC_i^{u,v}$ contains the assignment $\|_{j \neq i}\ t_i^j := step(t_i^j, tv_j^i.i)$. Hence $BB_i^{u,v}(m,j)$ is true in state $r'$ for all $j \neq i$. Thus arc $a'(m)$ of the set $ARCS_i^{u,v}(r_i', s_i')$ is enabled in state $r'$. Execution of $a'(m)$ in state $r'$ leads to state $s'$, by definition of $AA_i^{u,v}(m,j)$. Hence $(r', i, s') \in R_{PP}$.

Now let $(r', i, s') \in R_{PP}$. $(r', i, s')$ results from executing an arc $a'(m)$ of some set $ARCS_i^{u,v}(r_i', s_i')$, where $r_i' = r'{\restriction}i$, $s_i' = s'{\restriction}i$. We can run the previous argument "backwards" to show that $ARC_i^{u,v}$ is enabled in state $r$ of $M_P$, and its execution results in state $s$ of $M_P$. Hence $(r, i, s) \in R_P$.

We have in fact shown that $R_P = R_{PP}$, i.e., that the structures $M_P$ and $M_{PP}$ are identical. Hence they are certainly bisimilar. □

Corollary 11 $M_Q \sim M_{PP}$

Proof. Immediate from Proposition 3, Corollary 7 and Theorem 10, along with the transitivity of bisimulation. □

Since $PP$ is in pairwise normal form by construction, our main result follows immediately:

Theorem 12 Let $Q$ be any finite-state concurrent program. Then there exists a concurrent program $PP$ such that (1) the global state transition diagrams of $Q$ and $PP$ are bisimilar, and (2) $PP$ is in pairwise normal form.

Our result shows that $PP$ and $Q$ have essentially the same behavior, since strong bisimulation is the strongest notion of equivalence between concurrent programs. A consequence of our result is that $PP$ and $Q$ satisfy the same specifications, for many logics of programs. Recall that $M_{PP}$ and $M_Q$ are the global state transition diagrams of $PP$ and $Q$, respectively. Let $f$ be a formula of the temporal logic CTL* [10], and define $M_Q \models f$ to mean $\forall u \in St_Q : M_Q, u \models f$, and $M_{PP} \models f$ to mean $\forall s \in St_P : M_{PP}, s \models f$, where $M_Q, u \models f$ and $M_{PP}, s \models f$ refer to the usual satisfaction relation of CTL* [10]. Then we have:

Corollary 13 Let $f$ be a formula of CTL*. Then $M_Q \models f$ iff $M_{PP} \models f$.


Proof. Immediate from Corollary 11 and Theorem 14 in [7, chapter 11]. □

We could easily establish similar results for other logics, such as the mu-calculus.



4.4 Complexity Results

For a single process $Q_i$, define $|Q_i|$, the size of $Q_i$, to be the size of the representation of $Q_i$ using a standard complexity-theoretic encoding, i.e., enumeration for sets, character strings for guards and actions, etc. Likewise define $|PP_i|$. Define $|Q|$, the size of $Q$, to be $|St_Q| + |Q_1| + \cdots + |Q_K|$, and $|PP|$, the size of $PP$, to be $|St_P| + |PP_1| + \cdots + |PP_K|$.

Define the size of a Kripke structure to be the number of states plus the number of transitions.

Theorem 14 $|PP|$ is in $O(K \exp(|Q| + K))$.

Proof. $|M_Q|$ is in $O(\exp(|Q|))$ by Definition 2. $|M_P|$ is in $O(K \cdot |M_Q|)$, since each state and transition in $M_Q$ is "replicated" at most $K$ times. So $|M_P|$ is in $O(K \exp(|Q|))$.

For each transition in $M_P$, $PP$ contains a number of arcs that is in $O(\exp(K))$. Hence $|PP|$ is in $O(|M_P| \cdot \exp(K))$, and so $|PP|$ is in $O(K \cdot \exp(|Q|) \cdot \exp(K))$. Thus $|PP|$ is in $O(K \exp(|Q| + K))$. □



5 Related Work

It has long been known that a multiple-reader multiple-writer atomic register can be implemented using a set of single-reader single-writer registers, and there are many such atomic register constructions in the literature [6, chapter 10]. Since, by definition, a single-reader single-writer register is shared by two processes, these constructions may seem to subsume our result. However, the atomic register constructions do not respect pairwise normal form. For example, they may involve the operation of taking the maximum over a set of single-reader single-writer registers that involve many different pairs of processes. This direct use of register values corresponding to many different pairs, in computing a single expression value, is a direct violation of pairwise normal form.

6 Conclusions and Future Work

We showed that any finite-state shared memory concurrent program can be rewritten in pairwise normal form, up to strong bisimulation, for a high-atomicity model of concurrent computation. A topic of future work is to establish a similar result in a low-atomicity model, for example that presented in [3]. Our results have significant implications for the efficient synthesis and model-checking of finite-state shared memory concurrent programs. In particular, they show that the approaches of [1, 2, 5] do not sacrifice any expressive power by restricting attention to pairwise normal form.